Patch from Kevin F. Quinn at https://bugs.gentoo.org/show_bug.cgi?id=135745
Already applied in sandbox svn

Makes sandboxed open() calls return the normal error conditions if the
file in question does not exist, without causing a sandbox violation.
This allows programs to use open() to test for file existance, regardless
of read-write flags. This is not revealing any further information about
the backing system because this data was already available through stat().

Index: src/libsandbox.c
===================================================================
--- src/libsandbox.c.orig
+++ src/libsandbox.c
@@ -80,6 +80,9 @@
 #define FUNCTION_SANDBOX_SAFE_ACCESS(_func, _path, _flags) \
 	((0 == is_sandbox_on()) || (1 == before_syscall_access(_func, _path, _flags)))
 
+#define FUNCTION_SANDBOX_FAIL_OPEN_INT(_func, _path, _flags) \
+	((0 == is_sandbox_on()) || (1 == before_syscall_open_int(_func, _path, _flags)))
+
 #define FUNCTION_SANDBOX_SAFE_OPEN_INT(_func, _path, _flags) \
 	((0 == is_sandbox_on()) || (1 == before_syscall_open_int(_func, _path, _flags)))
 
@@ -388,6 +391,16 @@ static FILE * (*true_ ## _name) (const c
 FILE *_name(const char *pathname, const char *mode) \
 { \
 	FILE *result = NULL; \
+	int my_errno = errno; \
+	struct stat st; \
+\
+	if (mode!=NULL && mode[0]=='r') { \
+		/* If we're trying to read, fail normally if file does not stat */\
+		if (-1 == stat(pathname, &st)) { \
+			return NULL; \
+		} \
+	} \
+	errno = my_errno; \
 \
 	if FUNCTION_SANDBOX_SAFE_OPEN_CHAR("fopen", pathname, mode) { \
 		check_dlsym(_name); \
@@ -561,12 +574,20 @@ int _name(const char *pathname, int flag
 	va_list ap; \
 	int mode = 0; \
 	int result = -1; \
+	int my_errno = errno; \
+	struct stat st; \
 \
 	if (flags & O_CREAT) { \
 		va_start(ap, flags); \
 		mode = va_arg(ap, int); \
 		va_end(ap); \
+	} else { \
+		/* If we're not trying to create, fail normally if file does not stat */\
+		if (-1 == stat(pathname, &st)) { \
+			return -1; \
+		} \
 	} \
+	errno = my_errno; \
 \
 	if FUNCTION_SANDBOX_SAFE_OPEN_INT("open", pathname, flags) { \
 		check_dlsym(_name); \
@@ -726,6 +747,16 @@ static FILE * (*true_ ## _name) (const c
 FILE *_name(const char *pathname, const char *mode) \
 { \
 	FILE *result = NULL; \
+	int my_errno = errno; \
+	struct stat64 st; \
+\
+	if (mode!=NULL && mode[0]=='r') { \
+		/* If we're trying to read, fail normally if file does not stat */\
+		if (-1 == stat64(pathname, &st)) { \
+			return NULL; \
+		} \
+	} \
+	errno = my_errno; \
 \
 	if FUNCTION_SANDBOX_SAFE_OPEN_CHAR("fopen64", pathname, mode) { \
 		check_dlsym(_name); \
@@ -746,12 +777,20 @@ int _name(const char *pathname, int flag
 	va_list ap; \
 	int mode = 0; \
 	int result = -1; \
+	int my_errno = errno; \
+	struct stat64 st; \
 \
 	if (flags & O_CREAT) { \
 		va_start(ap, flags); \
 		mode = va_arg(ap, int); \
 		va_end(ap); \
+	} else { \
+		/* If we're not trying to create, fail normally if file does not stat */\
+		if (-1 == stat64(pathname, &st)) { \
+			return -1; \
+		} \
 	} \
+	errno = my_errno; \
 \
 	if FUNCTION_SANDBOX_SAFE_OPEN_INT("open64", pathname, flags) { \
 		check_dlsym(_name); \